From 9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c Mon Sep 17 00:00:00 2001 From: Marc Deslauriers Date: Wed, 30 Apr 2025 10:34:27 -0400 Subject: [PATCH] Fixed CVE-2025-32873 -- Mitigated potential DoS in strip_tags(). Thanks to Elias Myllymaki for the report, and Shai Berger and Jake Howard for the reviews. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com> Backport of 9f3419b from main. CVE: CVE-2025-32873 Upstream-Status: Backport https://github.com/django/django/commit/9cd8028f3e38dca8e51c1388f474eecbe7d6ca3c/ Signed-off-by: Saravanan --- django/utils/html.py | 6 ++++++ docs/releases/3.2.25.txt | 11 +++++++++++ tests/utils_tests/test_html.py | 15 ++++++++++++++- 3 files changed, 31 insertions(+), 1 deletion(-) diff --git a/django/utils/html.py b/django/utils/html.py index 5887bf1..1a3033e 100644 --- a/django/utils/html.py +++ b/django/utils/html.py @@ -33,6 +33,9 @@ simple_url_2_re = _lazy_re_compile( MAX_URL_LENGTH = 2048 MAX_STRIP_TAGS_DEPTH = 50 +# HTML tag that opens but has no closing ">" after 1k+ chars. +long_open_tag_without_closing_re = _lazy_re_compile(r"<[a-zA-Z][^>]{1000,}") + @keep_lazy(str, SafeString) def escape(text): @@ -184,6 +187,9 @@ def _strip_once(value): def strip_tags(value): """Return the given HTML with all tags stripped.""" value = str(value) + for long_open_tag in long_open_tag_without_closing_re.finditer(value): + if long_open_tag.group().count("<") >= MAX_STRIP_TAGS_DEPTH: + raise SuspiciousOperation # Note: in typical case this loop executes _strip_once twice (the second # execution does not remove any more tags). strip_tags_depth = 0 diff --git a/docs/releases/3.2.25.txt b/docs/releases/3.2.25.txt index f21bb47..2e113cc 100644 --- a/docs/releases/3.2.25.txt +++ b/docs/releases/3.2.25.txt @@ -82,6 +82,17 @@ Remember that absolutely NO guarantee is provided about the results of ``strip_tags()`` call without escaping it first, for example with :func:`django.utils.html.escape`. +CVE-2025-32873: Denial-of-service possibility in ``strip_tags()`` +================================================================= + +:func:`~django.utils.html.strip_tags` would be slow to evaluate certain inputs +containing large sequences of incomplete HTML tags. This function is used to +implement the :tfilter:`striptags` template filter, which was thus also +vulnerable. + +:func:`~django.utils.html.strip_tags` now raises a :exc:`.SuspiciousOperation` +exception if it encounters an unusually large number of unclosed opening tags. + Bugfixes ======== diff --git a/tests/utils_tests/test_html.py b/tests/utils_tests/test_html.py index 231f5d8..5c2de01 100644 --- a/tests/utils_tests/test_html.py +++ b/tests/utils_tests/test_html.py @@ -94,17 +94,30 @@ class TestUtilsHtml(SimpleTestCase): ('>br>br>br>X', 'XX'), ("<" * 50 + "a>" * 50, ""), + (">" + "" + "" * 51, "" with self.assertRaises(SuspiciousOperation): strip_tags(value) + def test_strip_tags_suspicious_operation_large_open_tags(self): + items = [ + ">" + "